AMENDMENT AND RESPONSE UNDER 37 CFR § 1.1 11 

Serial Number: 09/518,664 
Filing Date: March 3, 2000 

Title: APPARATUS AND METHOD FOR AUTOMATICALLY AUTHENTICATING A NETWORK CLIENT 



IN THE CLAIMS 

Please amend the claims as follows: 

1. (Currently Amended) An authentication system suitable for automatically providing 
authentication to a user at a client node, the user providing a user secret and requesting access to 
network resources resident at one or more server nodes in a distributed network system, said 
authentication system comprising: 

a local application program interface for receiving the user secret, said local application 
program interface in communication with a requested network resource and the client node; 

a cryptography service node including means for providing a common key and algorithm, 
and means for providing a client/server session key and algorithm , wherein the session key is 
unique to a session and if the session terminates the session key becomes invalid ; and 

an authentication database in communication with said local application program 
interface and with said cryptography service node, said authentication database including 

an authentication secret associated with the user; 

means for encrypting said authentication secret using said common key and 
algorithm; and 

means for encrypting said common key using said client/server session key and 
algorithm; 

wherein the local application program interface sends an encrypted authentication secret, 
an encrypted common key, and the session key to the client node for use with the requested 
network resource, and wherein the common key is a shared and same key. 

2. (Original) The authentication system of claim 1 further comprising means for encrypting 
and decrypting said authentication secret using a secret store key and algorithm. 
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3. (Original) The authentication system of claim 1 further comprising, 

a network resource identifier associated with said requested network resource; and 
a network policy associated with the user and with said network resource 
identifier. 

4. (Currently Amended) The authentication system of claim [[1]] 3 wherein said 
authentication database further comprises, 

a second network resource identifier associated with a second network resource; 
a second authentication secret associated with the user; and 
a second network policy associated with the user and with said second network 
resource identifier. 

5. (Original) The authentication system of claim 4 wherein said authentication database 
further comprises means for encrypting and decrypting said second authentication secret using 
said secret store key and algorithm. 

6. (Original) The authentication system of claim 4 wherein said authentication database 
further comprises means for encrypting and decrypting said second authentication secret using a 
second secret store key and algorithm. 

7. (Original) The authentication system of claim 1 wherein said cryptography service 
further comprises means for generating an authentication secret from the user secret. 



8. (Original) The authentication system of claim 1 wherein said common key comprises a 
symmetric key. 
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9. (Currently Amended) A method for automatically authenticating a user at a network 
client node in a distributed network system in response to a user request for access to network 
resources resident in one or more server nodes, said authentication method comprising the steps 
of: 

providing a network resource identifier, a network resource policy, and an authentication 

secret to an authentication database, said network resource identifier associated 

with the requested network resource; 
retrieving said authentication secret in response to said user request, said authentication 

secret associated with the user and with said network resource identifier; 
encrypting said authentication secret with a common key and algorithm, wherein the 

common key is a shared and same key; 
encrypting said common key and algorithm with a client/server session key and 

algorithm , wherein the session key is unique to a session and when the session 

terminates the session key becomes invalid ; and 
sending said encrypted authentication secret and said encrypted common key to the client 

node. 



10. (Original) The method of claim 9 further comprising the steps of: 

decrypting said encrypted common key using said client/server session key; 
decrypting said encrypted authentication secret using said decrypted common key and 
algorithm; and 

providing said decrypted authentication secret to the requested network resource. 



1 1 . (Original) The method of claim 9 further comprising the step of accessing said network 
resource policy prior to said step of retrieving said authentication secret, said network resource 
policy associated with the user and with said network resource identifier. 
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12. (Original) The method of claim 9 further comprising the steps of: 
obtaining a list of client algorithms supported by the client node; 
obtaining a list of server algorithms supported by the server node; 
comparing said list of client algorithms with said list of server algorithms so as to 

determine the strongest algorithm common to both said list of client algorithms 
and said list of server algorithms; and 
using said strongest algorithm as said common key and algorithm. 

13. (Original) The method of claim 9 wherein said common key comprises a symmetric key. 

14. (Original) The method of claim 9 further comprising the steps of: 
negotiating the strongest common algorithm between server and client node; and 
using said strongest algorithm as said client/server session key and algorithm. 

15. (Currently Amended) A method for authenticating a client to a network resource, 
comprising: 

receiving a client request for a network resource; 

authenticating the client and creating a secure session; 

creating an authentication secret for access to the network resource; 

encrypting the authentication secret within a common key, wherein the common key is a 
shared and same key; 

encrypting the common key with a session key associated with the secure session^ 
wherein the session key becomes invalid when the secure session terminates ; and 

transmitting to the client the encrypted common key, the encrypted authentication secret, 
and the session key for use in accessing the network resource. 



16. (Previously Presented) The method of claim 15 further comprising, determining a 
strongest encryption and decryption algorithm supported by the client when encrypting the 
authentication secret within the common key. 
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17. (Previously Presented) The method of claim 15 further comprising receiving, by the 
network resource, a decrypted version of the authentication secret from the client and 
authenticating the client for access to the network resource based on the decrypted authentication 
secret. 

18. (Previously Presented) The method of claim 15 further comprising associating policies 
with the authentication secret, wherein the policies define access rights of the client to the 
network resource. 



19. (Previously Presented) The method of claim 15 negotiating with the client encryption 
and decryption algorithms for use in encrypting the authentication secret and the common key. 

20. (Previously Presented) The method of claim 15 associating the authentication secret with 
the client and the network resource and housing the association in a secret store for additional 
secure sessions established by the client. 



